Just like the US highway infrastructure, Tor needs new bridges. The encrypted anonymizing "darknet" that allows activists, journalists, and others to access the Internet without fear of censorship or monitoring—and which has also become a favored technology of underground groups like child pornographers—is having increasing difficulty serving its users in countries that have blocked access to Tor's entry points. Tor bridges are computers that act as hidden gateways to Tor's darknet of relays. After campaigning successfully last year to get more volunteers to run obfuscated Tor bridges to support users in Iran trying to evade state monitoring, the network has lost most of those bridges, according to a message to the Tor relays mailing list by Tor volunteer George Kadiankakis.
"Most of those bridges are down, and fresh ones are needed more than ever," Kadiankakis wrote in an e-mail, "since obfuscated bridges are the only way for people to access Tor in some areas of the world (like China, Iran, and Syria)." Obfuscated bridges allow users to connect to the Tor network without using one of the network's known public bridges or relays as an initial entry point.Obfuscated bridges have become a necessity for Tor users in countries with networks guarded by various forms of deep packet inspection technology, where censors have put in place filters that spot traffic matching the signature of a Tor-protected connection. Some of these censors use a blocking list for traffic to known Tor bridges. To circumvent detection, Tor users can use a plugin called a "pluggable transport" to connect to an obfuscated bridge and mask their network signature.
To further evade potential censoring, the addresses for obfuscated bridges are not part of Tor's main directory but are stored in a distributed database called BridgeDB. The BridgeDB's interface spoons out addresses two at a time per request in an effort to prevent attacks that would expose a full list, and no BridgeDB instance keeps a full list of the available bridges. Additionally, Tor provides "unpublished" bridge addresses to users who request them via e-mail. The Tor Project's support assistants—volunteers who respond to support requests—respond only to requests e-mailed from Gmail and Yahoo accounts, both to deal with the flood of requests and to reduce the chance that an attacker will be able to learn the addresses of a large number of bridges.
The problem for Tor is that those bridges do get detected by attackers over time, and pluggable transports can eventually be detected. The most widely used pluggable transport in the Tor network, obfs2, no longer works in China. A new plugin, obfs3, will work in China, but it runs only on the latest version of the obfuscated bridge proxy—which was recently rewritten in Python.
"Looking into BridgeDB," Kadiankakis wrote in his message to the Tor community, "we have 200 obfs2 bridges, but only 40 obfs3 bridges: this means that we need more people running the new Python obfsproxy! Upgrading obfsproxy should be easy now, since we prepared new instructions and Debian/Ubuntu packages." He added that there is also a particular need for more unpublished bridges.
For those who want to donate bridges to the Tor network, the easiest route is to use Tor Cloud, an Amazon Web Services Elastic Compute Cloud image created by the Tor Project that allows people to leverage Amazon's free usage tier to deploy a bridge.